Message173125
| Field | Value |
|---|---|
| Author | Ramchandra Apte |
| Recipients | Ramchandra Apte |
| Date | 2012-10-17.02:24:04 |
| SpamBayes Score | -1.0 |
| Marked as misclassified | Yes |
| Message-id | <1350440645.16.0.89770624373.issue16248@psf.upfronthosting.co.za> |
| In-reply-to | |

Content

I made many mistakes in the original bug report. Here is a fixed one:
Because Lib/tkinter/__init__.py:1801 uses exec to execute code from a file, it has a security bug. It searches for the file in the home dir. Apparently, on my system, the $HOME variable is the same as the non-root one when running Python with root privileges using sudo.
Steps to reproduce:
Create a file called .Tk.py in your home folder.
Whatever code is in that file will be executed.
Run these three lines of code in Python using sudo:

    import tkinter
    w = tkinter.Tk()

And the code in the .Tk.py will be executed (unless you change the baseName for the Tk object).
There may be similar ways of running Python with root privileges preserving the environment variables in other OSes.
Using Kubuntu Linux (variant of Ubuntu Linux) 12.04

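A pre-flight check for the condition described in the report, as an added example that is not part of the original message or of tkinter: it flags a `.Tk.py` profile (or the home directory holding it) that the effective user does not own or that others can write. The function name `audit_tk_profile`, its `names` parameter and the temporary directory used as sample input are assumptions made for the illustration.

```python
import os
import tempfile


def audit_tk_profile(home, euid, names=("Tk",)):
    """Return reasons why exec'ing .<name>.py from `home` is unsafe for a
    process with effective uid `euid`. An empty list means no finding."""
    findings = []
    home_st = os.stat(home)
    if home_st.st_uid != euid:
        # Whoever owns the directory can create the profile at any time.
        findings.append("%s: directory owned by uid %d, not euid %d"
                        % (home, home_st.st_uid, euid))
    for name in names:
        path = os.path.join(home, ".%s.py" % name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            continue
        if st.st_uid != euid:
            findings.append("%s: file owned by uid %d, not euid %d"
                            % (path, st.st_uid, euid))
        if st.st_mode & 0o022:
            findings.append("%s: group/world writable" % path)
    return findings


def demo():
    """Constructed sample: a throwaway HOME containing an empty .Tk.py."""
    with tempfile.TemporaryDirectory() as home:
        profile = os.path.join(home, ".Tk.py")
        open(profile, "w").close()
        os.chmod(profile, 0o600)
        owner = os.stat(profile).st_uid
        same_user = audit_tk_profile(home, owner)
        # A different euid stands in for sudo keeping the caller's $HOME.
        other_user = audit_tk_profile(home, owner + 1)
        os.chmod(profile, 0o666)
        writable = audit_tk_profile(home, owner)
    return same_user, other_user, writable


if __name__ == "__main__":
    labels = ("same user", "other euid", "world-writable")
    for label, result in zip(labels, demo()):
        print(label, result)
```

A privileged script could call `audit_tk_profile(os.environ.get("HOME", os.curdir), os.geteuid())` before creating the `Tk` object and refuse to continue on any finding.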
History

| Date | User | Action | Args |
|---|---|---|---|
| 2012-10-17 02:24:05 | Ramchandra Apte | set | recipients: + Ramchandra Apte |
| 2012-10-17 02:24:05 | Ramchandra Apte | set | messageid: <1350440645.16.0.89770624373.issue16248@psf.upfronthosting.co.za> |
| 2012-10-17 02:24:05 | Ramchandra Apte | link | issue16248 messages |
| 2012-10-17 02:24:04 | Ramchandra Apte | create | |